As you know, at Esferize we pay special attention to the security of companies, both physical and digital. Therefore, today we summarise in 10 key points how to protect the cybersecurity of your SME.

1. Risk management

One of the key issues is to know who will be responsible for managing cyber security in companies. You need to be aware of the level of risk you want to take. Investing in security means minimising risks. A security policy should be drawn up to determine what risks you are willing to accept and to ensure that employees understand the importance of their responsibilities in this area.

2. Updated software

It is not enough to buy a firewall and antivirus and forget about it until there is a problem. Update as soon as possible. You can activate the “automatic update” option in many computer security software packages. It is recommended to make an inventory of all technological assets, both hardware and software, as well as to regularly check for possible weaknesses in the system with vulnerability scans. It is highly recommended to do this once a year or whenever there is a major software or hardware change.

3. Protected network

It is important that the company’s network is protected from both external and internal attacks. Check whether the internet provider includes a firewall that monitors network connections for internet access. It should be properly configured and updated when necessary. It is always advisable to consult an expert if you believe that the security of your company’s network has been compromised.

4. The importance of malware

It is not just a matter of installing a simple antivirus. You should have a comprehensive security package that protects your computer and networks from malware, spyware, adware and so on. You should have a daily scan and keep your computer up to date with updates.

5. User privileges

It is vital to control who enters and where they enter an SME’s network systems. Employees must have usernames and passwords. Their privileges in the system will be limited by the administrator, who will be the one to indicate in which folders employees will be able to work in order to carry out their tasks, bypassing the rest of the system. It is recommended to keep sensitive data (accounting, payroll, clients, strategy, etc.) separate and secure.

6. Control of removable devices

It is important for the security of the SME that only CDs, DVDs, USB, SD cards or any kind of flash memory provided by the system administrator are used. It is not a question of becoming a policeman, but of knowing who is using them, where they are and, as far as possible, what they contain. They should also be scanned for malware.

7. Monitoring of networks and services

There are free monitoring or protocol analysis tools that can help detect hardware failures or unusual activity on an SME’s network. If the company is complex and larger, other commercial options that include traffic analysis, IP usage, etc. may be more appropriate.

8. Raising user awareness

Preach so that something remains. As far as possible, employees should be made aware of and apply the security policy that the SME has adopted. The company may consider including this policy in the form of a clause in contracts. Regularly remind staff of good security practices. In relation to social networks, all employees should know how to use them as they represent the company.

9. What to do with employees’ mobile devices

As company employees increasingly use mobile devices, both private and corporate, in their work, they need to be approved by security managers. For example, ensure that they have anti-malware installed and up to date, that they are encrypted, that they can be tracked and remotely wiped if lost or stolen, and that employees will report any incidents with such devices to the company.

10. Business must go on despite incidents

Any eventuality that compromises the company’s technological systems is an incident that interferes with the normal activity of the business. It is therefore necessary to make clear what to do and what not to do in the event of an incident and, if in doubt, to have an external agent available to help the SME to resolve the situation appropriately.

It is important to stress that when dealing with personal data, the Security Document that every company must have according to Organic Law 15/1999, of 13 December, on the Protection of Personal Data, must include, among other things, what is indicated in points 2 (“an inventory of all those technological assets, both hardware and software”), 5 (“It is important to control who enters and where they enter a systems network”) and 6 (“Control of removable devices”).

As always, we invite you to take a closer look at business security on the Internet on our website.

 

Source: EAE Business School